At Medtronic, nothing is more important to us than the safety of our patients. Medtronic designs and manufactures our products to be as safe and secure as possible, yet accessible to the patients and physicians who depend on them.
Medical devices are potential targets of cyberattacks, and we expect those risks to increase and evolve over time. However, Medtronic firmly believes that the therapeutic benefits of our products far outweigh any potential security risks. We continuously monitor the ongoing security of our products and operations and take appropriate action to address vulnerabilities.
Protecting information is critically important to Medtronic. We have strong processes, technologies, and people in place to safeguard our products and information and make an active effort to anticipate and prepare for the next threat.
Our global program seeks to protect our information and systems, the information of our business partners, and most importantly, the privacy and safety of the patients and healthcare providers that use our products.
While no system of security can provide 100 percent protection, our information technology infrastructure implements physical, administrative, and technical controls designed to protect personal information, along with intellectual property and proprietary information. We have dedicated resources and processes to help prevent, detect, and respond to cyber threats, and we monitor the security of our systems and take action to address vulnerabilities.
Protecting Medtronic’s information, systems, and products naturally extends to our business partners and vendors, and we expect them to secure their systems in a way that is consistent with our requirements.
Medtronic operates in the heavily regulated medical device industry. We align our oversight and management of cybersecurity with the International Organization for Standardization/International Electrotechnical Commission’s 27000 series (ISO/IEC 27000) and the NIST Cybersecurity Framework. We have compliance and development programs in place for the devices, systems, and services we sell consistent with applicable medical device regulatory requirements, some of which are listed below:
Medtronic has a strong product security program that leverages internal and external security and medical device experts, rigorous development processes, and current security practices to enable the highest levels of security and usability.
We make continuous security improvements to our products throughout their lifecycle, and we continue to review our security practices to minimize and mitigate vulnerabilities as we develop products, including:
Medtronic has proactively established a dedicated, global product security team and coordinated product disclosure program to supplement the robust product security practices already in place. Our internal approach to product security is two-fold:
Externally, Medtronic works closely with government agencies, industry partners and security researchers to enhance security efforts across the medical device and healthcare industries and inform and shape the guidance and regulatory landscape.
With the evolving security landscape, Medtronic makes security improvements to our products, and we continue to review our practices to minimize and mitigate vulnerabilities. While no system of security can provide 100 percent protection, we take measures to address security as our products are developed, once they leave our manufacturing facilities, and as they’re used by patients and healthcare providers. Our teams are focused on building secure products for life, with consideration of the following lifecycle stages:
During planning and design, our teams determine functionality and usability. We conduct a risk-based security analysis to determine appropriate controls. In the testing phase, teams conduct performance and security testing to find vulnerabilities. During the revisioning phase, we redesign the device as needed to address any vulnerabilities found and retest; we repeat as new risks are discovered. The regulatory review phase enables us to partner with regulatory bodies to review the device for safety, security, effectiveness and quality. Once the product is in use by the patient, we track and evaluate security and safety risks and make updates as appropriate. Finally, when we retire a device, we consider security implications of decommissioning.
Throughout the lifecycle of a medical device, we continuously monitor for security risks. We assess and test vulnerabilities based on global standards, engage regulators and communicate appropriate mitigations to key stakeholders.